Definition
• Explicitly or implicitly, safeguarding assets is an
inescapable fiduciary obligation placed on
managers, whether the entity exists for profit or
not for profit.
– Fiduciary duties are an inherent managerial
responsibility, tied to accountability, that can be
conveyed through legislation, regulation, or
expectation.
– Foundationally, an operating entity’s very existence is
usually heavily dependent on how well employees
safeguard the assets used in fulfilling the organizational
mission.
Assumption
• The assumption for safeguarding assets should
span the entity’s total tangible and intangible
resources. Specifically, information and its
associated technologies are assets requiring
appropriate investment in protective
measures to retain their intrinsic value.
Requirement
• Safeguarding IT resources usually requires an
information security governance (ISG) framework
that renders essential coverage of information assets.
• To ensure adequate ISG, an entity’s management can adopt
– the Information Systems Audit and Control Association’s
(ISACA’s) Control Objectives for Information and
related Technology (COBIT) framework, promulgated
by the Information Technology Governance Institute,
and/or the International Organization for
Standardization (ISO) 27002 methodology.
Control Objectives for Information and
Related Technology.
COBIT FRAMEWORK
IT Resources From COBIT
The Flow Chart of Information Systems
The Structure of The Audit
The Flow Chart of IS Audit from COBIT
Information, Application, and
Infrastructure
• Information encompasses usable objects,
structured and unstructured data, and
presentation formats.
• Applications are deemed the sum of manual
and programmed procedures.
• Infrastructure is defined as hardware,
operating systems, configuration systems,
facilities, and support structure.
The Cube
COBIT AUDIT STEPS
Acquisition and Implementation
Delivery and Support
Monitoring
IT governance = indispensable
• With IT considered indispensable for providing
processing efficiency, communication
expediency and information reliability, entities
should govern the safeguarding of information
assets through an ISG program. To accomplish
this security necessity, management normally
needs a governance framework that enables
organizational alignment, adequate resource
allotment, risk management, value delivery
and performance measurement.
Governance - subset
• Whether information security governance is
viewed abstractly as a distinct governance
classification supporting entity governance or
as a subset of information technology
governance, safeguarding IT normally
requires addressing separation of
responsibilities and
‘protection of information assets’ to assure
managerial due diligence.
Example
Control Environment Consideration
Information and Communication
Risk Assessment Consideration
Monitoring Consideration
Evaluating information system effectiveness
and efficiency
• SECTION ONE - Why study effectiveness?
a system;
division throughout the organization, but may want to first establish its
effectiveness;
Symptoms of an ineffective system:
• excessive down time and idle time
• slow system response time
• data loss
• excessive maintenance costs
• unreliable system outputs
• inability to interface with new hardware/software
Two approaches to measurement of system
effectiveness
• Goal-centered view - does the system achieve the goals set
out? Conflicts as to priorities, timing etc. can lead to objectives
being met in the short run by sacrificing fundamental system qualities,
leading to long-run decline of the effectiveness of the system.
• System resource view - desirable qualities of a system
are identified and their levels are measured. If the qualities exist,
then information system objectives, by inference, should be met.
By measuring the qualities of the system the auditor may get a better,
longer-term view of a system's effectiveness.
• Relative evaluation - the auditor compares the state of goal
accomplishment after the system is implemented with the state
of goal accomplishment before the system was implemented.
• Absolute evaluation - the auditor assesses the size of the
goal accomplishment after the system has been implemented.
• Improved task accomplishment, and
• Improved quality of working life.
• Operational effectiveness,
• Technical effectiveness, and
• Economic effectiveness.
Task Accomplishment - an effective I/S
improves the task accomplishment of its users.
The auditor examines how well a system meets its goals
from the viewpoint of a user who interacts with the
system on a regular basis:
• Frequency of use,
• Nature of use,
• Ease of use, and
• User satisfaction.
Frequency and Nature of Use
• problem finding,
• problem solving,
• input,
• processing,
• report form
User satisfaction - has become an important measure of
operational effectiveness because of the difficulties and
problems associated with measures of frequency of use,
nature of use, and ease of use.
Technical Effectiveness Objectives - must be defined in
terms of a unit of work and the priority categorization given.
In a batch system the unit of work usually is a job.
In an interactive system it may be a job consisting of
multiple transactions, or a single transaction.